Abstract

We show that the single operation of raising a number to a fixed
power modulo a composite modulus is sufficient to implement "digital
signatures": a way of creating for a (digitized) document a recognizable,
unforgeable, document-dependent digitized signature whose authenticity the
signer can not later deny. An "electronic funds transfer" system or
"electronic mail" system clearly could use such a scheme, since the
messages must be digitized in order to be transmitted.
passing, electronic funds transfer, cryptography.

The operation of raising a number to a fixed power modulo a
composite modulus is shown to be sufficient to implement "digital
signatures": a way of creating for a (digitized) document a recognizable,
unforgeable, document-dependent, digitized signature whose authenticity the
signer can not later deny. This scheme has obvious applications in the
design of "electronic funds transfer" systems or "electronic mail" systems,
since here the messages must be digitized in order to be transmitted.

I. Introduction

Our approach is to provide an implementation of a "public-key
cryptosystem", an elegant concept invented by Diffie and Hellman [2]. Such
a system provides digital signatures, as well as enabling enciphered
communication between arbitrary pairs of people, without the necessity of
agreeing on an enciphering key beforehand.

In a public-key cryptosystem each user A places in a public file an
enciphering algorithm (or key) $E_A$. User A keeps to himself the details of
the corresponding deciphering algorithm $D_A$ which satisfies the equation


for any message $M$.


Both $E_A$ and $D_A$ must be efficiently computable. It is assumed that A
does not compromise $D_A$ when revealing $E_A$. That is, it should not be
computationally feasible for an "enemy" to find an efficient way of
computing $D_A$, given only a specification of the enciphering algorithm $E_A$.
(Clearly a very inefficient way exists: to compute $D_A(C)$ just enumerate
all possible messages $M$ until one such that $E_A(M) = C$ is found. Then
$D_A(C) = M$.) Only A will be able to compute $D_A$ efficiently.

Whenever another user (say B) wishes to send a message $M$ to A, he
looks up $E_A$ in the public file and then sends A the enciphered message
$E_A(M)$. User A deciphers the message by computing $D_A(E_A(M)) = M$. By our
assumptions only user A can decipher the message $E_A(M)$ sent to him. If A
wants to send a response to B he of course enciphers it using $E_B$, also
available in the public file. Therefore no transactions between A and B
are required to initiate private communication. The only "setup" required
is that each user A who wishes to receive private communications must place
his enciphering algorithm $E_A$ in the public file.

If electronic message-passing systems [7] are to fully replace the
existing paperwork systems for ordinary business transactions, there is an
attribute of a paper message that will have to be duplicated for electronic
messages: they can be "signed". More precisely, the recipient of a
"signed" message has proof that the message originated from the sender.
This quality is stronger than mere authentication (verifying that the
message when received actually came from the sender) in that the recipient
of a signed document is able to convince a disinterested third party (a
judge) that the signer actually sent the message. To do so, the judge must
be convinced that the signed message was not forged by the recipient
himself! In an ordinary authentication problem the recipient does not
worry about this possibility.

We would like to remark that an electronic, or digital, signature
must be message-dependent, as well as signer-dependent. Otherwise the
recipient could modify the received message by changing a few characters
before showing the message-signature pair to a judge. Even worse, the
recipient would be able to attach the received signature to any message
whatsoever, inasmuch as electronic "cutting and pasting" of sequences of
characters are entirely undetectable in the final product.


In order to implement signatures it is necessary that $E_A$ and $D_A$
effect permutations of the same message space $S$, so that in addition to (1)
we have:

$$E_A(D_A(M)) = M \quad \text{for any message } M. \tag{2}$$

(If the "cipher space" - the image of the message space $S$ under $E_A$ - is
different from $S$ then (1) need not imply (2), since $D_A$ may not even be
defined for those elements of the message space which are not in the cipher
space.)

Suppose now that user A wants to send user B a "signed" document $M$.
User A then sends $E_B(D_A(M))$ to B, who then deciphers it with $D_B$ to obtain
$M' = D_A(M)$. Now using $E_A$ (available on the public file), B can read the
"signed" document $E_A(M') = E_A(D_A(M)) = M$. Here $M'$ will act as A's
"signature" for the message $M$.

User A can not deny having sent B this message, since no one but A
could have created $M' = D_A(M)$, under our assumption that $D_A$ is not computable
from $E_A$. User B can obviously convince a "judge" that $E_A(M') = M$, so that B
has "proof" that A has signed the document.

Clearly B can not modify $M$ to a different version $M''$, since then B
would have to create the corresponding signature $D_A(M'')$ as well. Therefore
B has received a document "signed" by A, which he can "prove" that A sent,
but which B can not modify in any detail. (Nor can B forge A's signature
on any other document).

We observe that the act of sending a "signed" message does not
increase the length of the transmitted version of the message (compared to
its "unsigned" form) at all, since the "signature" is effected by
performing a length-preserving transformation on the message before
transmission. A very long message should be broken into blocks, each
block labelled with a "this is block i of n" notation, and transmitted
after "signing" each block separately.

The concept of a public-key cryptosystem as described above, and
its potential use as a means of implementing digital "signatures", are due
to Diffie and Hellman [2]. The reader is encouraged to read this excellent
article for further background and elaboration of this concept, as well as
for a discussion of other problems in the area of cryptography. Their
article was the motivation for the present work, in that while they
presented the concept of a public-key cryptosystem, they did not present
any practical way of implementing such a system. In this paper we present a
candidate implementation scheme.

If the security of the system proposed here turns out to be
satisfactory, then we will as a corollary have demonstrated the existence
of "trap-door one-way functions", as defined in [2]. A "trap-door one-way
function" is a function which is easy to compute and easy to invert, but
for which the inverse function is difficult to compute from a description
of the function itself.


II. Implementation

The scheme presented here enciphers a message $M$ by raising it to a
fixed power $s$ modulo a certain composite number $r$. The deciphering
operation is performed by raising the received message to another power $t$,
again modulo $r$. User A makes public $r$ and $s$, and keeps $t$ private.
(These values should more properly be denoted $r_A$, $s_A$, and $t_A$, since each
user will have a separate set of values, but in what follows we will only
concern ourselves with user A's system, and will omit the subscripts.) We
assume that the message can be viewed as a number less than $r$, or that it
can be broken into a series of blocks, each of which can be viewed as a
number less than $r$ which will be separately enciphered.

We observe that raising a number $x$ to the $s$-th power modulo $r$
requires only $O(\log_2(r) \cdot T(r))$ operations to perform, if $s$ is less than
$r$, where $T(r)$ denotes the time required to multiply two numbers modulo $r$.
This bound is easily derived by considering the binary representation of
$s$, reading from left to right, as a rule for obtaining $x^s$ from 1 by
treating each 1 as an instruction to "square the preceding value and
multiply the result by $x$", and each 0 as an instruction to "square the
preceding value". Thus we may consider enciphering and deciphering to be
"efficient" operations. The fact that the enciphering and deciphering
operations are similar leads to a simple implementation (conceivably the
whole operation could be implemented on a single integrated circuit chip).

As a small running example, consider the case

$$r = 47 \cdot 59 = 2773, \quad s = 17.$$

With an $r$ of this size we can encode two English letters in a block, by
mapping each letter into a two-digit number (blank=00, A=01, B=02, ...,
Z=26). Thus the message

ITS ALL GREEK TO ME

(Julius Caesar, I, ii, 288) would be encoded into ten blocks:

0920 1900 0112 1200 0718 0505 1100 2015 0013 0500 .

Since $s = 10001$ in binary, the encoding of the first block goes as:

$$\begin{aligned}
M^{0} &= 1, \\
M^{1} &= (1)^2 \cdot 920 = 920, \quad \text{(for the leftmost 1)} \\
M^{2} &= (920)^2 = 635, \\
M^{4} &= (635)^2 = 1140, \\
M^{8} &= (1140)^2 = 1836, \\
M^{17} &= (1836)^2 \cdot 920 = 948.
\end{aligned}$$

(Here all arithmetic is done modulo 2773.) In a similar fashion, the whole
message is enciphered as:

0948 2342 1084 1444 2663 2390 0778 0774 0219 1655 .
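
The running example above, worked in code as an added illustration (not part of the original paper): the message is packed into two-letter blocks and each block is raised to the power s = 17 modulo r = 2773 by the left-to-right square-and-multiply rule. The function names are chosen here; the letter mapping and key values are the paper's.

```python
# Added example: block encoding and left-to-right square-and-multiply
# for the paper's toy key r = 47 * 59 = 2773, s = 17.

R, S = 2773, 17  # public modulus and enciphering exponent from the text


def encode_blocks(text):
    """Map blank -> 00, A -> 01, ..., Z -> 26 and pack two letters per block."""
    codes = []
    for ch in text:
        if ch != " " and not ("A" <= ch <= "Z"):
            raise ValueError(f"unsupported character {ch!r}")
        codes.append(0 if ch == " " else ord(ch) - ord("A") + 1)
    if len(codes) % 2:            # pad an odd-length message with a blank
        codes.append(0)
    return [100 * codes[i] + codes[i + 1] for i in range(0, len(codes), 2)]


def decode_blocks(blocks):
    """Inverse of encode_blocks (a trailing pad blank is kept)."""
    out = []
    for block in blocks:
        for code in divmod(block, 100):
            out.append(" " if code == 0 else chr(code + ord("A") - 1))
    return "".join(out)


def power_mod_trace(x, s, r):
    """Compute x**s mod r reading the bits of s from left to right.

    Every bit squares the running value; a 1 bit also multiplies by x.
    Returns (result, trace), where trace lists (exponent_so_far, value).
    """
    value, exponent, trace = 1, 0, [(0, 1)]
    for bit in bin(s)[2:]:
        value = (value * value) % r
        exponent *= 2
        if bit == "1":
            value = (value * x) % r
            exponent += 1
        trace.append((exponent, value))
    return value, trace


def encipher(text, s=S, r=R):
    """Encipher every block of the encoded text with E(M) = M**s mod r."""
    return [power_mod_trace(m, s, r)[0] for m in encode_blocks(text)]


if __name__ == "__main__":
    plain = "ITS ALL GREEK TO ME"
    print(" ".join(f"{b:04d}" for b in encode_blocks(plain)))
    for exponent, value in power_mod_trace(920, S, R)[1]:
        print(f"M^{exponent} = {value}")
    print(" ".join(f"{c:04d}" for c in encipher(plain)))
```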

In order to create a realistically-sized public-key cryptosystem,
we use the fact that to determine whether a given integer $n$ is prime or
not can also be performed efficiently, even if $n$ is over 100 digits
long. As an illustration of the kind of test used by these procedures,
the algorithms described in [4,0] are based on the following facts. For
every prime number $p$ and every number $a$ not congruent to zero, mod $p$, we
have

$$a^{p-1} \equiv 1 \pmod{p} \tag{3}$$

On the other hand, for most composite numbers $n$ at least one-half of the
numbers $a$, $0<a<n$, fail to satisfy the analogous relation

$$a^{n-1} \equiv 1 \pmod{n}. \tag{4}$$

Once an $a$ which violates (4) is found we have "proof" that $n$ is in fact
composite. For example, since S2772 m joMfmod 2773), we know that 2773
is composite. We refer the reader to the original papers discussing these
results [4,0,6,0] for a detailed discussion of these procedures, including
the appropriate tests to use for those numbers $n$ which satisfy (4) for
all $a$ (the Carmichael numbers).

It is important to note that the efficient primality-testing
algorithms just described do not in general, when given as input a
composite integer $n$, determine any of the factors of $n$. It is somewhat
surprising that while it is relatively easy to determine whether $n$ is
prime or composite, there are no efficient ways known for computing the
prime factorization of a composite number $n$. To determine the
factorization of an integer $n$ which is the product of just two 50-digit
prime numbers is considerably beyond current capabilities. Knuth [3,
section 4.5.4] gives an excellent presentation of several efficient
factoring algorithms. The most efficient general factoring algorithm
known to the authors is due to Pollard [6]; it will factor a number $n$ in
$O(n^{1/4})$ steps. A 125-digit number can be tested for primality in about
one minute; we estimate that factoring a number of that size could require
40 quadrillion years using Pollard's algorithm. If we may quote J.
Brillhart, D. H. Lehmer, and J. L. Selfridge on the difficulty of
factoring,

"In general nothing but frustration can be expected to come
from an attack on a number of 50 or more digits, even with
the speeds available with modern computers." [1, page 645]

Let $d$ be an integer such that determining the prime factorization
of a number $n$ which is the product of just two prime numbers of length $d$
(in digits) is "computationally impossible". Choosing $d=40$ seems to be
satisfactory at present. If better factoring algorithms are discovered
then the appropriate value of $d$ would have to be increased, but as long as
testing for primality is significantly easier than factoring the scheme to
be described will have the desired properties.

When user A desires to put on the public file his enciphering key,
consisting of the integers $r$ and $s$, he does so by determining two
$d$-digit "random" prime numbers $p$ and $q$, and an integer $s$ which is
relatively prime to $(p-1)\cdot(q-1)$. (The reason for this condition will be
explained shortly.) Then A puts on public file the integers $r$ and $s$,
where $r$ is defined to be $p \cdot q$. By assumption, only A will have available
the prime factors $p$ and $q$ of $r$, even though $r$ is on the public file.
When A makes $r$ and $s$ public, the values of $p$ and $q$ are effectively
hidden from everyone else due to the computational impossibility of
factoring $r$ in a reasonable amount of time.

For our example we have $p = 47$, $q = 59$, $r = p \cdot q = 2773$.

The subtask of finding a $d$-digit "random" prime number is easily
accomplished by first generating an (odd) $d$-digit random number and then
incrementing it by 2 until a prime number is found. By the prime number
theorem, we should expect to have to do about $O(d)$ incrementations before
finding a prime. In order to avoid those few cases where the efficient
primality-testing algorithms do yield a factor, it is desirable to ensure
that both $(p-1)$ and $(q-1)$ themselves contain large prime factors and
that $\gcd(p-1, r-1)$ and $\gcd(q-1, r-1)$ are both small. The latter condition
is easily checked. To obtain a prime number $p$ such that $(p-1)$ has a
large prime factor one can generate a $d$-digit prime number $u$ and then
find the first prime in the sequence $i \cdot u + 1$, for $i = 2, 4, 6, \ldots$. By the
prime number theorem for arithmetic progressions we can expect to find a
prime after examining $O(d)$ elements of this series. (There is some
additional security provided by selecting $u$ in the same manner to be of
the form $j \cdot v + 1$, where $v$ is a large prime.)
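
An added sketch (not from the original paper) of the two procedures just described: relation (4) used as a compositeness check, and the search through i·u + 1 for a prime whose predecessor has the large prime factor u. The base list, the function names and the small inputs are choices made for this illustration; 561 is included as a Carmichael number to show why relation (4) alone is not a primality proof.

```python
# Added example: the Fermat relation (4) as a compositeness check, and the
# search for a prime p = i*u + 1 so that p - 1 has the large prime factor u.
from math import gcd


def fermat_witnesses(n, bases):
    """Return the bases a with a**(n-1) mod n != 1; any one proves n composite."""
    return [a for a in bases if pow(a, n - 1, n) != 1]


def passes_fermat(n, bases=(2, 3, 5, 7, 11, 13)):
    """True if no base below n violates relation (4).

    This is NOT a proof of primality: a Carmichael number passes for every
    base that is relatively prime to it.
    """
    if n < 2:
        return False
    usable = [a for a in bases if a < n]
    return not fermat_witnesses(n, usable)


def next_candidate_prime(start):
    """Step an odd starting value by 2 until the Fermat check passes."""
    n = start | 1
    while not passes_fermat(n):
        n += 2
    return n


def prime_with_large_factor(u):
    """First value of i*u + 1, i = 2, 4, 6, ..., that passes the check.

    Returns (p, i), so that p - 1 = i*u.
    """
    i = 2
    while not passes_fermat(i * u + 1):
        i += 2
    return i * u + 1, i


def key_gcds(p, q):
    """The two quantities the text asks to be small: gcd(p-1, r-1), gcd(q-1, r-1)."""
    r = p * q
    return gcd(p - 1, r - 1), gcd(q - 1, r - 1)


if __name__ == "__main__":
    print("witnesses for 2773:", fermat_witnesses(2773, (2, 3, 5)))
    print("witnesses for 561 among coprime bases:", fermat_witnesses(561, (2, 5, 7)))
    print("first prime of the form i*47 + 1:", prime_with_large_factor(47))
    print("gcd checks for p=47, q=59:", key_gcds(47, 59))
```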

The enciphering algorithm $E_A$ is thus the operation:

$$E_A(M) \equiv M^s \pmod{r}$$

for any message $M$.

To obtain the corresponding deciphering algorithm, we will use the
identity (due to Euler and Fermat) that for any message $M$ which is
relatively prime to $r$:

$\equiv 1 \pmod{r}$, (5)

where $\phi(r)$ is the Euler totient function giving the number of positive
integers less than $r$ which are relatively prime to $r$. Equation (5) is
easily proved: the set of residues (mod $r$) which are relatively prime to $r$
form a group of order $\phi(r)$ under multiplication, and in any group the
order of an element must divide the order of the group. Since $\phi(p) = p-1$
for prime numbers $p$, equation (3) is a special case of (5). In our case,
we have

$$\begin{aligned}
\phi(r) &= \phi(p) \cdot \phi(q) \qquad (6) \\
&= (p-1)(q-1) \\
&= p\,q - (p + q) + 1
\end{aligned}$$

by the elementary properties of the totient function [5]. In our example we
have

$$\phi(2773) = 46 \cdot 58 = 2668.$$

It is easy to see that the factorization of $r$ enables the
computation of $\phi(r)$ by (6), and that conversely the ability to compute
$\phi(r)$ enables the factorization of $r$, since $(p+q)$ is easily obtained
from $r$ and $\phi(r)$, and $(p-q)$ can be obtained by taking the square root
of $(p+q)^2 - 4pq$. By our assumptions about the size of $d$, therefore, it
is not possible for anyone except A to know $\phi(r)$.
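
Carried through for the running example, the recovery of $p$ and $q$ from $r$ and $\phi(r)$ described above goes as follows (a worked illustration added here, not part of the original paper):

$$p + q = r - \phi(r) + 1 = 2773 - 2668 + 1 = 106,$$

$$(p - q)^2 = (p + q)^2 - 4pq = 106^2 - 4 \cdot 2773 = 11236 - 11092 = 144,$$

so $|p - q| = 12$ and the two factors are $(106 + 12)/2 = 59$ and $(106 - 12)/2 = 47$.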

Since $s$ is relatively prime with respect to $\phi(r)$, it has a
multiplicative inverse $t$ in the ring of integers modulo $\phi(r)$. Thus we
have that

$$s \cdot t \equiv 1 \pmod{\phi(r)}.$$

The value of $t$ is easily computed using a simple variant of
Euclid's algorithm to compute the greatest common divisor of $s$ and
$\phi(r)$. (See exercise 4.3.2.13 in [3].) Briefly, the procedure is as
follows. Euclid's algorithm computes $\gcd(x_0, x_1)$ by computing a series
$x_0, x_1, \ldots, x_k$ where $x_{i+1} = x_{i-1} \bmod x_i$ and $x_k = \gcd(x_0, x_1)$. It is
simple to compute in addition for each $x_i$ coefficients $a_i$ and $b_i$ such
that $x_i = a_i \cdot x_0 + b_i \cdot x_1$. If $x_k = 1$ then $b_k$ is the inverse of $x_1$ mod $x_0$. For
our example we have

$x_0 = 2668$, $a_0 = 1$, $b_0 = 0$,

$x_1 = 17$, $a_1 = 0$, $b_1 = 1$,

$x_2 = 16$, $a_2 = 1$, $b_2 = -156$, (since $2668 = 156 \cdot 17 + 16$),

$x_3 = 1$, $a_3 = -1$, $b_3 = 157$ (since $17 = 1 \cdot 16 + 1$).

Therefore the inverse of 17 (mod 2668) is 157.

It is now easy to see that

$$\begin{aligned}
(E_A(M))^t &\equiv (M^s)^t \pmod{r} \\
&\equiv M^{s \cdot t} \pmod{r} \\
&\equiv M^{1 + u \cdot \phi(r)} \pmod{r} \\
&\equiv M^1 \equiv M \pmod{r},
\end{aligned}$$

for some integer $u$. Therefore the deciphering function

$$D_A(C) \equiv C^t \pmod{r}$$

is the desired inverse operation. (The reader can check in our example
that $948^{157} \equiv 920 \pmod{2773}$.)
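
The derivation of t and the deciphering check, as an added example (not part of the original paper): the extended Euclid variant is traced row by row for the running example and the resulting exponent is applied to the ten ciphertext blocks obtained by enciphering the example message with s = 17. Function names are chosen here.

```python
# Added example: deriving the private exponent t with the extended Euclid
# variant sketched in the text, then deciphering the example ciphertext.

P, Q, S = 47, 59, 17          # toy values from the paper
R = P * Q                     # 2773
PHI = (P - 1) * (Q - 1)       # 2668


def euclid_rows(x0, x1):
    """Return rows (x_i, a_i, b_i) with x_i = a_i*x0 + b_i*x1.

    Follows x_{i+1} = x_{i-1} mod x_i until the remainder is zero, so the
    last row returned holds gcd(x0, x1).
    """
    rows = [(x0, 1, 0), (x1, 0, 1)]
    while rows[-1][0] != 0:
        (xp, ap, bp), (xc, ac, bc) = rows[-2], rows[-1]
        quotient = xp // xc
        rows.append((xp - quotient * xc, ap - quotient * ac, bp - quotient * bc))
    return rows[:-1]          # drop the terminating zero row


def inverse_mod(s, modulus):
    """Inverse of s modulo `modulus`; ValueError if they share a factor."""
    g, _, b = euclid_rows(modulus, s)[-1]
    if g != 1:
        raise ValueError(f"{s} has no inverse modulo {modulus} (gcd = {g})")
    return b % modulus


def decipher(blocks, t, r=R):
    """Apply D(C) = C**t mod r to each block (built-in modular pow)."""
    return [pow(c, t, r) for c in blocks]


if __name__ == "__main__":
    for i, (x, a, b) in enumerate(euclid_rows(PHI, S)):
        print(f"x{i} = {x:5d}   a{i} = {a:3d}   b{i} = {b:5d}")
    t = inverse_mod(S, PHI)
    print("t =", t, " s*t mod phi(r) =", (S * t) % PHI)
    # Ciphertext blocks of the running example message.
    cipher = [948, 2342, 1084, 1444, 2663, 2390, 778, 774, 219, 1655]
    print(" ".join(f"{m:04d}" for m in decipher(cipher, t)))
```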


It should of course be checked that $t$ is large enough so that a
direct search for it is infeasible. The value of $s$ is rather arbitrary
but should be chosen larger than $\log_2(r)$, so that every message suffers
some "wrap-around" (reduction mod $r$) during the encoding process.

The preceding analysis was based on the assumption that the input
message $M$ was relatively prime to $r$. While not all numbers less than
$r$ are relatively prime to $r$, only those which are multiples of either $p$
or $q$ are not. Therefore the chances of finding, among a collection of
messages, one which is not relatively prime to $r$ is very small, say on
the order of 10"* , and is therefore negligible. This must be so by our
assumption since if it were likely or easy to find a number less than $r$
which was not relatively prime to $r$, then $r$ could be factored. (The
gcd of this number and $r$ will be either $p$ or $q$.)

It is interesting to note that the enciphering operation $E_A(M)$ is
always invertible, even if the message $M$ is a multiple of $p$ (or
similarly, $q$). The deciphering operation is modified as follows. We first
note that if $M$ is a multiple of $p$ then so is $E_A(M)$. The decoder can
detect this fact easily. If the decoder receives a multiple of $p$ it
concludes that $M$ is a multiple of $p$, so that in order to determine $M$
uniquely it need only determine the residue of $M$ modulo $q$, by the Chinese
remainder theorem. The residue of $M$ modulo $q$ can be found by:

$$M \equiv (E_A(M))^{t'} \pmod{q},$$

where $t'$ is the inverse of $s$ modulo $(q-1)$. The existence of $t'$ is
guaranteed by the fact that $s$ is relatively prime to
$(p-1)\cdot(q-1)$, and therefore to $q-1$. To decode a received message which
is a multiple of $p$ it therefore suffices to raise it to the $t'$-th
power, modulo $r$. In our example the inverse of 17, mod 58, is 41. Thus
the value $t'=41$ (instead of 157) would be used to decode those messages
which are a multiple of $p=47$. Similarly those received messages which are
a multiple of $q=59$ can be decoded with a value of $t'=19$.
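
The modified deciphering rule above, as an added example (not part of the original paper): the decoder takes the gcd of the received block with r, selects t' when they share a factor, and the result is checked for every block value below r = 2773. Function names are chosen here.

```python
# Added example: deciphering ciphertexts that share a factor with r, using
# the reduced exponent t' from the text. Key values are the paper's toy key.
from math import gcd

P, Q, S = 47, 59, 17
R = P * Q                                   # 2773
T = pow(S, -1, (P - 1) * (Q - 1))           # 157, the ordinary exponent t


def pick_exponent(c):
    """Choose the deciphering exponent for ciphertext block c (0 <= c < r)."""
    shared = gcd(c, R)
    if shared == 1:
        return T                            # c relatively prime to r
    if shared == R:
        return 1                            # c = 0, so M = 0; any exponent works
    other = R // shared                     # the prime that does not divide c
    return pow(S, -1, other - 1)            # t' = inverse of s mod (other - 1)


def decipher(c):
    """Decipher one block with the exponent selected by pick_exponent."""
    return pow(c, pick_exponent(c), R)


def roundtrip_failures():
    """Every block value M in [0, r) that does NOT survive E then D."""
    return [m for m in range(R) if decipher(pow(m, S, R)) != m]


def ordinary_exponent_disagreements():
    """Multiples of p or q for which t and t' would give different results."""
    special = [m for m in range(1, R) if gcd(m, R) != 1]
    return [m for m in special
            if pow(pow(m, S, R), T, R) != decipher(pow(m, S, R))]


if __name__ == "__main__":
    for m in (94, 118, 920):                # 94 = 2*47, 118 = 2*59
        c = pow(m, S, R)
        print(f"M={m:4d}  C={c:4d}  gcd(C,r)={gcd(c, R):2d}  "
              f"exponent={pick_exponent(c):3d}  D(C)={decipher(c)}")
    print("round-trip failures:", roundtrip_failures())
    print("t versus t' disagreements:", ordinary_exponent_disagreements())
```

Because 157 mod 58 = 41 and 157 mod 46 = 19, raising these blocks to the ordinary exponent t = 157 gives the same plaintext as t', which is what `ordinary_exponent_disagreements()` confirms by returning an empty list.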


III. Remarks

We note that a minor awkwardness exists in using our system for
digital signatures in the fashion proposed by Diffie and Hellman. Namely,
it may be necessary to "reblock" the signed message for encryption since
the value of $r$ used for signatures may be larger than that used for
enciphering (every user has his own value of $r$). If desired, this problem
can be avoided as follows. A certain threshold value $h$ is decided upon
(say h = 10*^0). Every user then maintains two $r$, $s$ pairs in the public
file, one for enciphering purposes and one for signature purposes. If
every user's signature $r$ is less than $h$, and every user's enciphering $r$
is greater than $h$, then reblocking in order to encipher a signed message
will never be necessary.
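
The signed-and-enciphered exchange with separate signature and enciphering moduli, as an added example (not part of the original paper), using the raw scheme exactly as described with no hashing or padding. The threshold value, user B's primes and all function names are constructed for this illustration; user A's signature key is the paper's running example.

```python
# Added example: signing with D_A and then enciphering with E_B, using
# separate signature and enciphering moduli split by a threshold h.
# All values other than A's key are toy numbers constructed for illustration.

H = 10_000   # hypothetical threshold: signature r < H < enciphering r


def make_key(p, q, s):
    """Return (r, s, t) for primes p, q and public exponent s."""
    r, phi = p * q, (p - 1) * (q - 1)
    return r, s, pow(s, -1, phi)        # ValueError if gcd(s, phi) != 1


A_SIGN = make_key(47, 59, 17)           # paper's example: r = 2773 < H
B_ENC = make_key(101, 113, 3)           # constructed: r = 11413 > H


def send_signed(m, signer_key, recipient_public):
    """A computes E_B(D_A(M)) from its private t_A and B's public (r_B, s_B)."""
    r_a, _, t_a = signer_key
    r_b, s_b = recipient_public
    if not 0 <= m < r_a:
        raise ValueError("block must be smaller than the signature modulus")
    signature = pow(m, t_a, r_a)        # M' = D_A(M), always below r_A
    if signature >= r_b:
        raise ValueError("signature does not fit: reblocking would be needed")
    return pow(signature, s_b, r_b)     # E_B(M')


def receive_signed(c, signer_public, recipient_key):
    """B strips E_B with t_B, then applies the public E_A to read M."""
    r_a, s_a = signer_public
    r_b, _, t_b = recipient_key
    signature = pow(c, t_b, r_b)        # M' = D_B(C)
    return pow(signature, s_a, r_a), signature   # (M, M'); M' is B's proof


def judge_accepts(m, signature, signer_public):
    """A third party checks E_A(M') == M using only A's public file entry."""
    r_a, s_a = signer_public
    return 0 <= signature < r_a and pow(signature, s_a, r_a) == m


if __name__ == "__main__":
    a_public, b_public = A_SIGN[:2], B_ENC[:2]
    assert a_public[0] < H < b_public[0]
    wire = send_signed(920, A_SIGN, b_public)
    message, proof = receive_signed(wire, a_public, B_ENC)
    print("on the wire:", wire, " recovered M:", message, " signature M':", proof)
    print("judge accepts (M, M'):", judge_accepts(message, proof, a_public))
    print("judge accepts altered M:", judge_accepts(message + 1, proof, a_public))
```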

We now examine this scheme from the viewpoint of the "enemy
cryptanalyst" who wants to "break the system", that is, to find an
efficient way of computing $D_A$ given only $r$ and $s$ to work with. By our
previous assumptions he can not do it in the same way that A did, since he
does not have $\phi(r)$ available to him. He has two approaches he may try:
(1) determine $t$ or some equivalent number in some fashion that does not
require the knowledge of $\phi(r)$, or (2) find an altogether different method
of computing $D_A$.

A method for determining $t$ is unlikely to exist since it would
more or less enable a calculation of $\phi(r)$, since it is a factor of
$s \cdot t - 1$. More precisely, a method for calculating a $t$ corresponding to
an arbitrary $s$ would thus enable the cryptanalyst to determine many
different multiples of $\phi(r)$, by varying $s$. The gcd of these
quantities is likely to be $\phi(r)$. In any case Gary Miller [4] has in
fact shown that determining any multiple of $\phi(r)$ enables $r$ to be
factored.

As for the second approach, we have no proof that this is
infeasible, nor is this a "well-known" computationally intractable problem.
However, we feel reasonably confident that this is the case. Just as any
modern cryptographic system must be "certified" by proving itself immune to
a sophisticated cryptanalytic attack, the scheme proposed here must be
similarly certified by having the preceding conjecture of intractability
withstand a concerted attempt to disprove it. The reader is hereby
challenged to find a way to "break" this scheme.